Defence Evasion (TA0005)

Sub-technique: T1070.001 - Clear Windows Event Logs

Objective: Detect attempts to clear event logs to evade detection.

  1. Detect Security Log Cleared Events

DeviceEvents
| where ActionType == "SecurityLogCleared"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessParentFileName

Purpose: Identify when security logs are cleared.

  2. Detect System Log Cleared Events

DeviceEvents
| where ActionType == "SystemLogCleared"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessParentFileName

Purpose: Monitor for system log clearing.

  3. Detect Application Log Cleared Events

DeviceEvents
| where ActionType == "ApplicationLogCleared"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCreationTime, InitiatingProcessFileName, InitiatingProcessParentFileName

Purpose: Identify when application logs are cleared.

  4. Monitor for Log Deletion Commands

DeviceProcessEvents
| where ProcessCommandLine has "wevtutil cl"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName

Purpose: Detect usage of log clearing commands.

  5. Identify Unauthorized Log Clearing Attempts

DeviceProcessEvents
| where ProcessCommandLine has_any ("clear", "delete") and InitiatingProcessAccountName != "Administrator"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName

Purpose: Detect log clearing attempts by non-administrative users.

  6. Monitor for Event Log Service Restarts

DeviceServiceEvents
| where ServiceName == "EventLog" and ActionType == "StartService"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName

Purpose: Identify restarts of the Event Log service.

  7. Detect Cleared Logs via PowerShell

DeviceProcessEvents
| where ProcessCommandLine has "Clear-EventLog"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessFolderPath

Purpose: Monitor PowerShell commands used to clear event logs.

  8. Suspicious Access to Event Log Files

DeviceFileEvents
| where FolderPath has "System32\\winevt\\Logs"
| summarize event_count = count() by FileName, DeviceName
| where event_count > 1

Purpose: Identify suspicious access to log files.
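The aggregation in query 8, re-implemented in Python as an added example (not part of this page's KQL) over constructed DeviceFileEvents-style rows: filter to the winevt\Logs folder, count by FileName and DeviceName, and keep groups above the threshold. It goes one step beyond the query by also collecting the initiating process names and action types per group, because the Event Log service itself (hosted in svchost.exe) writes to these files routinely, and that set is what separates normal service activity from another process touching the log files. The column names follow the DeviceFileEvents schema; the sample rows and the threshold parameter are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample rows in the shape of DeviceFileEvents (not real telemetry).
# FolderPath is the containing folder; FileName is the file itself.
LOG_DIR = "C:\\Windows\\System32\\winevt\\Logs"
DEVICE_FILE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "Security.evtx", "FolderPath": LOG_DIR,
     "ActionType": "FileModified", "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws01", "FileName": "Security.evtx", "FolderPath": LOG_DIR,
     "ActionType": "FileModified", "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws01", "FileName": "Security.evtx", "FolderPath": LOG_DIR,
     "ActionType": "FileDeleted", "InitiatingProcessFileName": "cmd.exe"},
    {"DeviceName": "ws01", "FileName": "Application.evtx", "FolderPath": LOG_DIR,
     "ActionType": "FileModified", "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "FileName": "System.evtx", "FolderPath": LOG_DIR,
     "ActionType": "FileModified", "InitiatingProcessFileName": "svchost.exe"},
    {"DeviceName": "ws02", "FileName": "System.evtx", "FolderPath": LOG_DIR,
     "ActionType": "FileRenamed", "InitiatingProcessFileName": "powershell.exe"},
    # Rows outside the log folder must be ignored by the filter.
    {"DeviceName": "ws02", "FileName": "app.log", "FolderPath": "C:\\Temp",
     "ActionType": "FileModified", "InitiatingProcessFileName": "app.exe"},
    {"DeviceName": "ws02", "FileName": "app.log", "FolderPath": "C:\\Temp",
     "ActionType": "FileModified", "InitiatingProcessFileName": "app.exe"},
]


def summarize_log_file_access(events, threshold=1):
    """Python equivalent of:
         DeviceFileEvents
         | where FolderPath has "System32\\winevt\\Logs"
         | summarize event_count = count() by FileName, DeviceName
         | where event_count > threshold
    plus the set of initiating processes and action types per group for triage.
    """
    counts = Counter()
    processes = defaultdict(set)
    actions = defaultdict(set)
    for e in events:
        # Case-insensitive substring check standing in for the KQL `has` on the folder.
        if "system32\\winevt\\logs" not in e["FolderPath"].lower():
            continue
        key = (e["FileName"], e["DeviceName"])
        counts[key] += 1
        processes[key].add(e["InitiatingProcessFileName"])
        actions[key].add(e["ActionType"])
    # Counter preserves insertion order, so results come out in first-seen order.
    return [
        {
            "FileName": file_name,
            "DeviceName": device,
            "event_count": count,
            "InitiatingProcesses": sorted(processes[(file_name, device)]),
            "ActionTypes": sorted(actions[(file_name, device)]),
        }
        for (file_name, device), count in counts.items()
        if count > threshold
    ]


if __name__ == "__main__":
    for row in summarize_log_file_access(DEVICE_FILE_EVENTS):
        print(row)
```

With the constructed rows, Security.evtx on ws01 is reported with three events and two distinct writers (cmd.exe alongside the expected svchost.exe), which is the kind of group worth a closer look; Application.evtx drops out at the default threshold of 1.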

  9. Detect Log Clearing via Script

DeviceProcessEvents
| where ProcessCommandLine has_any (".bat", ".cmd") and ProcessCommandLine has "wevtutil"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName

Purpose: Detect scripts used to clear event logs.
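The detection logic of queries 1 to 5, 7 and 9, re-implemented in Python as an added example (not part of this page's KQL) so it can be run offline over constructed rows in the shape of the DeviceEvents and DeviceProcessEvents tables. Queries 1 to 3 are folded into a single pass over the three *LogCleared action types. The command-line checks use regular expressions in place of the KQL `has` predicates; the wevtutil pattern is deliberately a little wider than the literal "wevtutil cl" phrase in that it also accepts the optional .exe suffix and the long-form clear-log alias of cl, and the script check anchors on the literal .bat/.cmd extension. Query 5's broad has_any ("clear", "delete") is represented as a non_admin flag on rows that already matched a log-clearing command, since the bare substrings match many benign commands. The sample rows, the admin_accounts parameter and the label names are assumptions for illustration.

```python
import re

# Constructed sample rows in the shape of DeviceEvents (not real telemetry).
DEVICE_EVENTS = [
    {"Timestamp": "2024-05-01T10:02:11Z", "DeviceName": "ws01", "ActionType": "SecurityLogCleared",
     "InitiatingProcessAccountName": "jdoe", "InitiatingProcessFileName": "wevtutil.exe",
     "InitiatingProcessCommandLine": "wevtutil.exe cl Security", "InitiatingProcessParentFileName": "cmd.exe"},
    {"Timestamp": "2024-05-01T10:02:12Z", "DeviceName": "ws01", "ActionType": "ProcessCreated",
     "InitiatingProcessAccountName": "jdoe", "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCommandLine": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe"},
    {"Timestamp": "2024-05-01T11:40:05Z", "DeviceName": "srv02", "ActionType": "ApplicationLogCleared",
     "InitiatingProcessAccountName": "Administrator", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -Command Clear-EventLog -LogName Application",
     "InitiatingProcessParentFileName": "cmd.exe"},
]

# Constructed sample rows in the shape of DeviceProcessEvents (not real telemetry).
DEVICE_PROCESS_EVENTS = [
    {"Timestamp": "2024-05-01T10:02:10Z", "DeviceName": "ws01", "InitiatingProcessAccountName": "jdoe",
     "ProcessCommandLine": "wevtutil.exe cl Security", "InitiatingProcessFileName": "cmd.exe"},
    {"Timestamp": "2024-05-01T11:40:04Z", "DeviceName": "srv02", "InitiatingProcessAccountName": "Administrator",
     "ProcessCommandLine": "powershell.exe -NoProfile -Command Clear-EventLog -LogName Application",
     "InitiatingProcessFileName": "cmd.exe"},
    {"Timestamp": "2024-05-01T12:15:00Z", "DeviceName": "ws03", "InitiatingProcessAccountName": "svc_backup",
     "ProcessCommandLine": "cmd.exe /c C:\\Scripts\\nightly_backup.bat", "InitiatingProcessFileName": "taskeng.exe"},
    {"Timestamp": "2024-05-01T13:05:30Z", "DeviceName": "ws03", "InitiatingProcessAccountName": "svc_backup",
     "ProcessCommandLine": "cmd.exe /c \"wevtutil clear-log System & del C:\\Temp\\purge.cmd\"",
     "InitiatingProcessFileName": "taskeng.exe"},
    {"Timestamp": "2024-05-01T13:06:00Z", "DeviceName": "ws01", "InitiatingProcessAccountName": "jdoe",
     "ProcessCommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt", "InitiatingProcessFileName": "explorer.exe"},
]

# Queries 1-3: the three ActionType values, checked in one pass.
LOG_CLEARED_ACTIONS = {"SecurityLogCleared", "SystemLogCleared", "ApplicationLogCleared"}
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessCommandLine", "InitiatingProcessAccountName",
             "InitiatingProcessFileName", "InitiatingProcessParentFileName")


def detect_log_cleared(events):
    """Rows whose ActionType is one of the *LogCleared values, projected like the KQL."""
    return [{k: e.get(k) for k in PROJECTED} for e in events if e.get("ActionType") in LOG_CLEARED_ACTIONS]


# Regexes standing in for the KQL `has` predicates of queries 4, 7 and 9.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.IGNORECASE)  # query 4
PS_CLEAR_EVENTLOG = re.compile(r"\bClear-EventLog\b", re.IGNORECASE)                    # query 7
SCRIPT_EXTENSION = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)  # literal extension; cmd.exe alone does not match
WEVTUTIL_ANY = re.compile(r"\bwevtutil\b", re.IGNORECASE)


def classify_command(cmd):
    """Return the labels (assumed names) of the command-line detections that fire on one command line."""
    labels = []
    if WEVTUTIL_CLEAR.search(cmd):
        labels.append("wevtutil_clear")
    if PS_CLEAR_EVENTLOG.search(cmd):
        labels.append("powershell_clear_eventlog")
    if SCRIPT_EXTENSION.search(cmd) and WEVTUTIL_ANY.search(cmd):
        labels.append("script_wevtutil")
    return labels


def detect_process_events(events, admin_accounts=("Administrator",)):
    """Run classify_command over DeviceProcessEvents rows.

    non_admin approximates query 5's InitiatingProcessAccountName != "Administrator"
    filter, but only on rows that already matched a log-clearing command.
    """
    findings = []
    for e in events:
        labels = classify_command(e.get("ProcessCommandLine", ""))
        if not labels:
            continue
        findings.append({
            "Timestamp": e["Timestamp"],
            "DeviceName": e["DeviceName"],
            "ProcessCommandLine": e["ProcessCommandLine"],
            "InitiatingProcessAccountName": e["InitiatingProcessAccountName"],
            "labels": labels,
            "non_admin": e["InitiatingProcessAccountName"] not in admin_accounts,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_log_cleared(DEVICE_EVENTS) + detect_process_events(DEVICE_PROCESS_EVENTS):
        print(finding)
```

On the constructed rows, the plain nightly_backup.bat command line carries a script extension but no wevtutil invocation and so produces no finding, while the purge.cmd line is labelled by both the wevtutil check and the script check; the two DeviceEvents rows with a *LogCleared action type are returned regardless of how the clearing was performed, which is why queries 1 to 3 remain the primary signal and the command-line queries are the corroborating ones.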

  10. Monitor Changes to Audit Policy

DeviceRegistryEvents
| where RegistryKey has "HKLM\\System\\CurrentControlSet\\Services\\EventLog\\Security"
| project Timestamp, DeviceName, RegistryKey, ActionType

Purpose: Monitor changes to audit policies that could impact logging.
